From debbugs-submit-bounces@debbugs.gnu.org Sat Dec 05 13:23:02 2020 Received: (at 44808) by debbugs.gnu.org; 5 Dec 2020 18:23:02 +0000 Received: from localhost ([127.0.0.1]:48211 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1klcCz-0000Yx-PR for submit@debbugs.gnu.org; Sat, 05 Dec 2020 13:23:01 -0500 Received: from dustycloud.org ([50.116.34.160]:53364) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1klcCx-0000Yk-L6 for 44808@debbugs.gnu.org; Sat, 05 Dec 2020 13:23:00 -0500 Received: from twig (localhost [127.0.0.1]) by dustycloud.org (Postfix) with ESMTPS id DA02926641; Sat, 5 Dec 2020 13:22:58 -0500 (EST) References: <878sat3rnn.fsf@dustycloud.org> <874klgybbs.fsf@zancanaro.id.au> <87im9w2gjt.fsf@dustycloud.org> <87im9nmr5u.fsf@gmail.com> <87eek45lpg.fsf@gnu.org> User-agent: mu4e 1.4.13; emacs 27.1 From: Christopher Lemmer Webber To: Ludovic =?utf-8?Q?Court=C3=A8s?= Subject: Re: bug#44808: Default to allowing password authentication on leaves users vulnerable In-reply-to: <87eek45lpg.fsf@gnu.org> Date: Sat, 05 Dec 2020 13:22:23 -0500 Message-ID: <87k0twkt9c.fsf@dustycloud.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 44808 Cc: Maxim Cournoyer , 44808@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Ludovic Court=C3=A8s writes: > Hi! > > Maxim Cournoyer skribis: > >>>> I'm on board with what you're proposing, and I think Guix should >>>> default to the more secure option, but I'm not sure that an=20 >>>> "average user" (whatever that means for Guix's demographic) would >>>> expect that password authentication is disabled by default. >>> >>> That's fair... I think that >>> "[ ] Password authentication? (insecure)" >>> would be sufficient as an option. How do others feel? >> >> I'm +1 on disabling password access out of the box; especially since >> Guix System makes it easy to authorize SSH keys at installation time. >> We'd have to see if it breaks any of our system tests, but I doubt so. > > Agreed. There are several ways to do that: > > 1. Have the installer emit an =E2=80=98openssh-configuration=E2=80=99 t= hat explicitly > disables password authentication. > > 2. Change the default value of the relevant field in > . > > #2 is more thorough but also more risky: people could find themselves > locked out of their server after reconfiguration, though this could be > mitigated by a news entry. > > Thoughts? > > Ludo=E2=80=99. We could also do a combination of the above, as a transitional plan: do #1 for now, but try to advertise that in the future, the default will be changing... please explicitly set password access to #t if you need this! Then in the *following* release, change the default. This seems like a reasonable transition plan, kind of akin to a deprecation process?